(57) Abstract

The invention relates to a method and an equipment of preventing the misuse of a copied subscriber identity in a mobile communication system. The use of a subscriber identity (IMSI) is restricted to predetermined terminals (MS), each having an associated equipment identity (IMEI) in such a way that: a number of allowable equipment identities (IMEI) is defined for at least one subscriber identity (IMSI), and a data base (60) linking said subscriber identities (IMSI) and the equipment identities (IMSI) allowable to them is created; the terminal (MS) sends the terminal user subscriber identity (IMSI) and its dedicated equipment identity (IMEI) to the rest of the system; the rest of the system compares whether the equipment identity (IMEI) sent is allowable to the subscriber identity (IMSI) sent, as a response to the equipment identity (IMEI) sent being allowable to the subscriber identity (IMSI) sent, the use of the terminal (MS) is permitted, and otherwise the use is denied.

Preventing misuse of a copied subscriber identity in a mobile communication system

FIELD OF THE INVENTION 

The invention relates to a method and system for preventing the misuse of a copied subscriber identity in a mobile communication system.

BACKGROUND OF THE INVENTION 

Both the users and the network operator in all telecommunication networks have to be optimally protected against undesirable intrusions by third parties. Thus, various security procedures are called for in networks. The most important characteristics of network security are 1) protecting information relayed by the network, and 2) authentication of network users and access control. The most important protection mechanism in the foreseeable future is some kind of encryption. Authentication is a measure for ensuring that information is originating from the source indicated. It is typically based on passwords and keys. Access rights are indicated as the ability to send and/or receive via a switching channel. Also access mechanisms are based on some sort of password or key.

As data transmission to mobile subscribers takes place on a radio connection, public land mobile networks (PLMN) are especially vulnerable to misuse of their resources by unauthorized users who eavesdrop on the information exchanged on the radio path. This is because radio signals may be listened to and sent from any place without access to user or operator equipment. It is obvious that the need for improved security is more pronounced in PLMN networks than in conventional telecommunication networks.

The basic structure of the pan-European digital cellular radio system GSM (Global System for Mobile Communications) is shown in Figure 1. The structure of the GSM network consists of two parts: a base station subsystem (BSS) and a network subsystem (NSS). The BSS and mobile stations MS communicate by means of radio connections. A base transceiver station (BTS) serves each cell in the base station subsystem BSS. A group of base stations BTS is linked to a base station controller (BSC) serving to control the radio frequencies and channels used by the base station BTS. The base station controllers BSC are linked to a mobile switching centre (MSC). A mobile switching centre serves to switch calls involving at least one mobile station MS. Some mobile switching centres MSC are linked to other telecommunication networks, such as a public integrated services network (PISN), and include switching procedures for dealing with calls to and from these networks. Such mobile switching centres are called gateway MSCs (GMSC).

Two types of data bases are involved in the routing of calls. Subscriber data on all subscribers is stored in a home location register HLR permanently or semi-permanently, including information on the services the subscriber can access and the present location of the subscriber. Another type of register is a visitor location register VLR. The VLR is usually associated with one mobile switching centre MSC, but may serve several centres. The visitor location register VLR is usually integrated into the mobile switching centre MSC. Such an integrated network element is called a visited mobile switching centre (VMSC). When an MS is active (it has registered in the network and may initiate or receive a call), the majority of the subscriber data on the mobile station MS in the home location register HLR is loaded (copied) into the visitor location register VLR of the mobile switching centre MSC in whose area the MS is roaming.

The GSM system incorporates an extremely secure authentication system. This is also true of derivatives of the GSM system, such as the DCS, based on what is known as the challenge and response principle. When a subscriber contract is drawn up, the subscriber is allocated a secret subscriber authentication key (Ki) and an international mobile subscriber identity (IMSI). Ki is stored in a GSM network element serving this purpose and called the authentication centre (AUC), associated with or connected to the subscriber home location register (HLR). The authentication centre AUC also comprises an encryption algorithm called A8, and an authentication algorithm called A3, and a random number RAND generator. An encryption key Kc is generated by the algorithm A8 on the basis of Ki and RAND. Similarly, a signed response (SRES) is generated by the algorithm A3 on the basis of Ki and RAND. These three parameters, RAND, Kc, and SRES form a subscriber-specific triplet, employed later in authentication and encryption.

Referring to Figure 2, the authentication centre AUC comprises a data base 20 for storing the authentication key Ki of each GSM network subscriber. The subscriber Ki may be retrieved from the data base 20 by using the mobile subscriber identity IMSI as index.

In order not to have to calculate and send the triplet always when it is needed, the AUC/HLR calculates several triplets for each subscriber in advance and delivers them on request to the visitor location register (VLR) and to the mobile switching centre (MSC), in which they are stored. The MSC/VLR has one unused triplet always at its disposal for each visiting subscriber. High-quality security presumes that the triplet is used only once for one connection, and is destroyed thereafter.

Figure 4 shows some subscriber-specific triplets. A security parameter file 40 comprises n triplets 1 to n for each subscriber identity IMSI. This reserve in the security parameter file 40 is formed when a mobile subscriber registers in a visited centre MSC and a visitor location register VLR for the first time. It is part of the subscriber data which was loaded from the home location register HLR in connection with the insert subscriber data message.

Referring to Figure 5, when a subscriber has used all triplets at its disposal, the AUC/HLR is requested to calculate and send back a new series. This triplet completion procedure consists of two messages: send parameters and a response thereto called send parameters result. The former contains the IMSI of the mobile subscriber, used to retrieve Ki for calculation of the triplets, as described in connection with Figure 2. The triplets calculated are delivered to the MSC/VLR in the send parameters result message and stored in the visitor location register VLR.

Still referring to Figure 4, a mobile station MS sends an access request to the MSC/VLR. The latter retrieves a triplet reserved for the mobile subscriber from the security parameter file 40 by using the IMSI as index. On one hand the MSC/VLR forwards the value of Kc to the channel equipment of the base station controller BSC to be used in traffic channel coding, and on the other hand it forwards the value of RAND to the mobile station in an authentication request message. This is depicted by block 41 in Figure 4. On the basis of RAND the mobile station MS calculates the other values (SRES and Kc) of the triplet.

Referring now to Figure 3, a copy of the mobile subscriber authentication key Ki and the encryption algorithm A8 and the authentication algorithm A3 are stored in the mobile station. On receiving an authentication request message, the mobile station MS isolates RAND from the message, feeding it and the stored Ki to the algorithms A3 and A8, respectively, for calculation of the signed response SRES and the encryption key Kc. The SRES calculated is forwarded to the MSC/VLR in the authentication request message in order to complete the authentication, as is shown in Figures 4 and 5.

Referring to Figure 4, the MSC/VLR isolates the value of SRES from the authentication request message (block 42) and retrieves the stored value of SRES from the file 40 (block 43). Thereafter the MSC/VLR, for this particular connection and before any other processing, authenticates the mobile subscriber by checking that the SRES calculated in the AUC/HLR and the SRES calculated in the mobile station (block 44) are identical. If these two values are identical, access is permitted (block 45). Otherwise access is denied (block 46).
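
The triplet procedure described above, as an added Python example that is not part of the patent text. HMAC-SHA256 is a stand-in for the A3 and A8 algorithms, the IMSI and Ki values are constructed, and the class and function names are assumptions; the 128-bit RAND, 32-bit SRES and 64-bit Kc lengths are the GSM sizes. It also shows why the check alone cannot tell an original card from a copy holding the same IMSI and Ki.

```python
import hashlib
import hmac
import secrets

# Stand-ins only: the real A3/A8 live in the SIM and the AUC. HMAC-SHA256 is
# used here simply as a keyed one-way function (assumption, not GSM's algorithm).
def a3(ki: bytes, rand: bytes) -> bytes:
    """Signed response SRES (32 bits)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Encryption key Kc (64 bits)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class Auc:
    """Authentication centre: data base 20 maps IMSI -> Ki."""
    def __init__(self, database_20):
        self.database_20 = dict(database_20)

    def send_parameters(self, imsi, n=3):
        """Answer a 'send parameters' request with n fresh (RAND, Kc, SRES) triplets."""
        ki = self.database_20[imsi]
        triplets = []
        for _ in range(n):
            rand = secrets.token_bytes(16)  # 128-bit RAND
            triplets.append((rand, a8(ki, rand), a3(ki, rand)))
        return triplets

class Sim:
    """Subscriber identity module: holds IMSI and Ki, runs A3 and A8."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)

class MscVlr:
    """Visited centre: security parameter file 40 maps IMSI -> unused triplets."""
    def __init__(self, auc):
        self.auc = auc
        self.file_40 = {}

    def authenticate(self, sim):
        reserve = self.file_40.setdefault(sim.imsi, [])
        if not reserve:  # reserve used up: triplet completion procedure
            reserve.extend(self.auc.send_parameters(sim.imsi))
        rand, kc, sres_auc = reserve.pop(0)  # used once, then destroyed
        sres_ms, kc_ms = sim.respond(rand)   # MS computes SRES and Kc from RAND
        return hmac.compare_digest(sres_ms, sres_auc)  # blocks 44 to 46

def demo():
    imsi = "001010000000001"  # constructed test IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    vlr = MscVlr(Auc({imsi: ki}))
    return {
        "original": vlr.authenticate(Sim(imsi, ki)),
        "wrong_key": vlr.authenticate(Sim(imsi, bytes(16))),
        "copied": vlr.authenticate(Sim(imsi, ki)),  # second card, identical data
        "unused_triplets": len(vlr.file_40[imsi]),
    }

if __name__ == "__main__":
    print(demo())
```
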

As an example, in the GSM system the authentication of a mobile subscriber is subject to a subscriber-specific authentication unit. Thus, the actual terminal is not tied up with a specific subscriber. The subscriber authentication unit, e.g. a SIM card, is a processor card or a smart card to be inserted into the mobile station and containing data required for subscriber authentication and radio traffic encryption, such as the authentication key Ki. In this application the subscriber authentication unit, e.g. a SIM card, refers to a processor card associated with a mobile station and generally detachable therefrom, by means of which a subscriber may use a card operated mobile station.

Thus, if a subscriber authentication unit, e.g. a SIM card (Subscriber Identity Module) is being used, the user does not necessarily have to possess a mobile station, but a subscriber authentication unit, such as a SIM card, in a way a phonecard, issued by a mobile communication system operator, is sufficient for the subscriber to make and receive calls from any mobile station of the system. The purpose of a SIM card is on one hand to place user authentication data safely protected at the disposal of the mobile station, and on the other hand to offer services to the mobile station. The services include e.g. maintenance of the identification number (input, change etc.), maintenance of the data protection key, i.e. the authentication key Ki, and unblocking a SIM card when it has been blocked as a result of too many inputs of a false PIN (Personal Identification Number). Unblocking a blocked SIM card is carried out e.g. by means of the PUK code (Personal Unblocking Key).

As an alternative way to implement the authentication unit, a part called plug-in-SIM has been employed to insert a SIM card into mobile phones, this part containing the electronics of the credit-card-sized SIM card and being about the size of a coin. A plug-in-SIM is inserted into the telephone such that the user cannot easily exchange it. The telephone may even comprise a fixed plug-in-SIM and additionally a card reader. If a card is inserted into the card reader, the telephone is identified according to the external card, otherwise according to the fixed plug-in-SIM card.

Thus, in the sense of this application, a mobile station (MS) consists of two parts, i.e. a mobile equipment (ME) and a subscriber identity module (SIM). The SIM card is defined in the GSM recommendation 02.17. The recommendation 11.11 specifies the issues restricted by 02.17 by defining e.g. the protocols between SIM and ME, the exact contents and lengths of SIM data fields, and issues associated with the electric and mechanical connection. An example of a data field included in a SIM card is the IMSI (International Mobile Subscriber Identity) which identifies a mobile subscriber. Similarly, in the sense of this application, the concept SIM refers generally to a subscriber authentication unit, e.g. a SIM card, a small plug-in-SIM card, a credit-card-sized SIM smart card, and a subscriber authentication unit firmly fixed to the mobile station and containing the subscriber identity and the authentication key Ki, unless the context implies otherwise.

In accordance with the GSM recommendations 02.17 and 11.11, three algorithms, A3, A5, and A8, are used. Algorithm A3 is used for authentication, algorithm A8 for generating an encryption key, and algorithm A5 for encryption. Algorithms A3 and A8 are installed both to the SIM card and to the authentication centre AUC. Algorithm A5 is installed both to the mobile equipment ME and to the base station BTS. Other data also stored in the authentication centre AUC include: the subscriber identity IMSI, the authentication key Ki, and version information on the algorithm used. The same data is also stored in the mobile subscriber's SIM card.

A problem arises in the above prior art mobile communication system when a SIM card or the data contained therein fall into the hands of an unauthorized person. This may occur when the telephone is lost or stolen, or only the SIM card is stolen therefrom. In this case the system comprises two SIM cards with identical data; the original and a copy. The use of a copied card is harmful to the mobile subscriber who owns the original card regardless of whether the misuse is extensive or slight. Extensive misuse may become extremely expensive until the subscriber notices the problem in the next telephone bill. However, if the misuse is slight, the problem may remain unnoticed for a long time. In the scope of the present application, the use of a copied SIM card refers to any technique of using fraudulently the SIM card data of another mobile subscriber.

Thus, the object of the invention is to provide a method and an equipment for implementing the method so that the above problems associated with the misuse of a SIM card or the data contained therein are solved. The objects of the invention are achieved with methods and systems characterized in what is disclosed in the independent claims. The dependent claims disclose the preferred embodiments of the invention.

The invention is based on the idea that the GSM system and its derivatives are a kind of "an ideal case of mobility" wherein only the information included in a SIM card is needed to support subscriber mobility. The majority of mobile station users would benefit from increased security at the expense of mobility. The invention is based on the idea that a mobile subscriber is given the chance to restrict the use of his/her subscriber identity to one or a few terminals. The invention is implemented e.g. so that a data element indicating if the use of said subscriber identity is restricted to certain terminals is added to one of the network registers. Should the use be restricted to certain terminals, a list of the terminals in connection with which said subscriber identity can be used is also stored in the register. Later, in connection with location updating, an inquiry is made to the register to see if the use of the subscriber identity is restricted to certain terminals. In case the use is restricted, a check is made to see if the identity of the terminal which made the location updating has been stored in the list of allowable terminals. If the identity of said terminal is not stored in the list of allowable terminals, location updating is rejected.

In the case of the GSM system and its derivatives, the register wherein the additional data according to the invention is stored is the home location register. In this case the subscriber identifier is IMSI and the terminal identifier is IMEI (International Mobile Equipment Identity). However, the identifiers IMSI and IMEI are only intended to illustrate the operation of the invention and not to restrict it to the GSM system nor the IMSI and IMEI identifiers.

The invention improves the security of a mobile communications system against misuse. The changes needed to implement the invention can be restricted to a distinctly definable small area, mainly to the software controlling the home location register. Implementing the invention in no way disturbs the operation of such network elements to which the operation according to the invention has not been added.

The invention will be described in more detail below in connection with preferred embodiments with reference to the attached drawings of which:

Figure 1 shows the parts of a mobile communication network relevant to the invention;

Figures 2 to 5 illustrate subscriber authentication in a prior art GSM system; and

Figure 6 is a flow diagram illustrating subscriber authentication according to the invention;

Figure 7 shows a data base used in subscriber authentication; and

Figure 8 is a signalling diagram illustrating subscriber authentication according to the invention.

Referring to Figures 6 to 8, when the operation according to the invention is taken into use, a table 60 for storing the terminal identities (IMEI, columns 62 to 64) allowable to said subscriber identity (IMSI, column 61) is created in connection with the home location register HLR. An existing table, file or data base may alternatively be expanded to include the data of table 60. In the GSM system used as an example, the subscriber identity is IMSI and the terminal identity is IMEI. Figure 6 shows a situation wherein two allowable terminals whose identities are IMEI-1a and IMEI-1b, in columns 62 and 63, respectively, have been defined for subscriber identity IMSI-1. (Reference number 64 indicates that the number of allowable IMEI identities does not have to be restricted to two.) Only one allowable terminal, whose identity is IMEI-2a, has been defined for subscriber identity IMSI-2. In Figure 6 table 60 also includes a separate data element 69 indicating whether the use of the subscriber identity (e.g. IMSI) stored in column 61 is restricted to one or some terminals whose identifiers have been stored in columns 62 to 64, respectively. Later in the present application the abbreviation IIV (IMSI-IMEI verification) is used for such a restriction.

The form of table 60 in Figure 6 is not intended to restrict the invention. It is feasible that a separate data element 69 is not needed, the IIV information being somehow implicit. In practice, this may signify that e.g. part of the subscriber number space reserved for an operator is reserved for the subscribers for whom an IMSI-IMEI coupling according to the invention has been activated. Alternatively, the IIV information could be deduced from the fact that the subscriber identity (column 61) is actually entered into table 60. If the line corresponding to the subscriber identity is deleted from table 60, the IMSI-IMEI coupling has not been activated and the subscriber identity may be used at any terminal.

Figure 7 illustrates subscriber authentication according to the invention. At stage 71 the centre MSC/VLR receives a subscriber identity IMSI and a mobile identity IMEI_MS from a mobile station in connection with location updating. The subscript MS or HLR in the IMEI indicates whether the IMEI has been received from a mobile station MS or a home location register HLR. The notation MSC/VLR refers to the entity formed by the centre and the visitor location register. In some network architectures these elements are separate, in others they have been integrated into a single network element.

At stage 72 an inquiry is sent to the home location register HLR by using the IMSI received. At stage 73 the MSC/VLR receives from the home location register a list of IMEI codes IMEI_HLR corresponding to the IMSI. At stage 74 a check is made to see if IIV is in use, and if not, at stage 75 the MS location updating is accepted. If IIV is in use, a check is made at stage 76 to see if the IMEI_MS sent by the mobile station is included in the IMEI_HLR list sent by the home location register HLR, i.e. if it corresponds to one of the IMEI_HLR identifiers sent by the home location register HLR. If this is the case, the MS location updating is accepted at stage 75. Otherwise the location updating is rejected at stage 77 and the use of the mobile station is prohibited.

Figure 8 is a signalling diagram illustrating subscriber authentication as regards signals between network elements. When a mobile station MS sends a location updating request 81 to the centre MSC/VLR, the latter sends to the home location register HLR a request 82 to which the home location register responds by sending a list 83 containing information on the IMEI identifiers defined for said subscriber. The stages denoted by the reference number 84 correspond to the checks made at stages 74 and 76 in Figure 7. If IIV is not in use, the MSC/VLR sends to the mobile station an acknowledgement 85 of accepted location updating. A positive acknowledgement 85 is also sent if the IMEI_MS sent by the mobile station corresponds to one of the IMEI_HLR identifiers sent by the home location register HLR. A negative acknowledgement 86 is sent if IIV is in use for said subscriber and the IMEI_MS sent by the mobile station does not correspond to any of the IMEI_HLR identifiers sent by the home location register HLR.
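
The IIV check of stages 71 to 77 and the acknowledgements 85 and 86, as an added Python example that is not part of the patent text. The class and function names, the separator-stripping `normalise` helper and all IMSI and IMEI values are assumptions constructed for illustration; a missing line in table 60 is treated as "coupling not activated", as the description allows.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

@dataclass(frozen=True)
class Row:
    """One line of table 60 for a subscriber identity (column 61)."""
    iiv: bool                # data element 69: is use restricted to listed terminals?
    allowed_imei: frozenset  # columns 62 to 64

class Decision(NamedTuple):
    accepted: bool
    stage: int   # 75 = location updating accepted, 77 = rejected
    ack: int     # 85 = positive acknowledgement, 86 = negative
    reason: str

def normalise(imei: str) -> str:
    """Keep digits only, so separators cannot cause a false mismatch (assumption)."""
    return "".join(ch for ch in imei if ch.isdigit())

class Hlr:
    """Home location register holding table 60."""
    def __init__(self, table_60):
        self.table_60 = {
            imsi: Row(iiv, frozenset(n for n in map(normalise, imeis) if n))
            for imsi, (iiv, imeis) in table_60.items()
        }

    def query(self, imsi: str) -> Row:
        """Request 82 answered by list 83; no line in table 60 means IIV is off."""
        return self.table_60.get(imsi, Row(False, frozenset()))

def location_update(hlr: Hlr, imsi: str, imei_ms: Optional[str]) -> Decision:
    """MSC/VLR handling of a location updating request 81 (stage 71)."""
    row = hlr.query(imsi)                          # stages 72 and 73
    if not row.iiv:                                # stage 74
        return Decision(True, 75, 85, "IIV not in use")
    candidate = normalise(imei_ms or "")
    if candidate and candidate in row.allowed_imei:  # stage 76
        return Decision(True, 75, 85, "IMEI_MS is in the IMEI_HLR list")
    return Decision(False, 77, 86, "IMEI_MS is not in the IMEI_HLR list")

def build_sample_hlr() -> Hlr:
    # Constructed sample data mirroring table 60: IMSI-1 has two allowable
    # terminals, IMSI-2 has one, IMSI-3 has no restriction.
    return Hlr({
        "001010000000001": (True, ["000000000000011", "000000000000012"]),
        "001010000000002": (True, ["000000000000021"]),
        "001010000000003": (False, []),
    })

if __name__ == "__main__":
    hlr = build_sample_hlr()
    for imsi, imei in [
        ("001010000000001", "00-000000-000001-2"),  # second allowable terminal
        ("001010000000001", "000000000000099"),     # copied identity, other terminal
        ("001010000000003", "000000000000099"),     # IIV not in use
        ("001010000000002", None),                  # no IMEI supplied
    ]:
        print(imsi, imei, location_update(hlr, imsi, imei))
```
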

On the basis of the above described example a wide variety of modifications and variations are apparent to those skilled in the art. A compromise between the traditional GSM system and the technique according to the invention could be, for example, that the subscriber identity (IMSI in the GSM system) not be coupled to the equipment identity (IMEI), but to an arbitrary identifier chosen by the subscriber and fed by the subscriber under certain circumstances, e.g. when switching on the telephone or in connection with location updating. An advantage of this alternative is that the subscriber may use any terminal. As a disadvantage may be considered the fact that an unauthorized user could find out the arbitrary identifier from the same source as the data included in the SIM card, e.g. if he/she succeeds in cracking the operator's information system. In addition, keying in an arbitrary identifier in connection with location updating would complicate normal telephone usage.

Thus the invention and its embodiments are not restricted to the above described examples, but may vary within the scope of the claims.

CLAIMS

1. A method of restricting the use of a subscriber identity (IMSI) to predetermined terminals (MS), each having an associated equipment identity (IMEI), the method being employed in a telecommunication system comprising at least one controller (MSC), such as a switching centre;

characterized in that in the method

- a number of allowable equipment identities (IMEI) is defined for at least one subscriber identity (IMSI), and a data base (60) linking said subscriber identities (IMSI) and the equipment identities (IMSI) allowable to them is created;

- the terminal (MS) sends the terminal user subscriber identity (IMSI) and its dedicated equipment identity (IMEI) to the rest of the system;

- the rest of the system compares whether the equipment identity (IMEI) sent is allowable to the subscriber identity (IMSI) sent;

- in response to the equipment identity (IMEI) sent being allowable to the subscriber identity (IMSI) sent, the use of the terminal (MS) is permitted, and otherwise the use is denied.

2. A method as claimed in claim 1, characterized in that:

- in addition, a subscriber-specific condition (69) is defined for at least some subscriber identities (IMSI), the condition indicating if the use of the subscriber identity (IMSI) is restricted only to the allowable equipment identities (IMEI); and

- in response to the subscriber-specific condition (69) associated with the subscriber identity (IMSI) sent indicating that the use of the subscriber identity (IMSI) is not restricted only to the allowable equipment identities (IMEI), the use of the terminal (MS) is permitted irrespective of the equipment identity (IMEI).

3. A mobile communication system comprising:

- terminals (MS), each having an associated equipment identity (IMEI);

- subscriber identities (IMSI) for identifying a number of subscribers;

- a register, preferably a home location register (HLR), comprising information on the system subscriber identities (IMSI);

- means for receiving from a terminal its equipment identity (IMEI) and the subscriber identity (IMSI) of its user,

characterized in that:

- in the system a number (62 to 64) of allowable equipment identities (IMEI-a, IMEI-b) has been defined for at least one subscriber identity (IMSI);

- the register (HLR) has memory means (60) comprising information on the subscriber identities (IMSI) for which a number (62 to 64) of allowable equipment identities has been defined, and the equipment identities (IMEI-a, IMEI-b) allowable to these subscriber identities (IMSI);

- the system comprises means (74, 76) for comparing whether the equipment identity (IMEI) sent is allowable for the subscriber identity (IMSI) sent and for permitting the use of the terminal (MS) only when the equipment identity (IMEI) sent is allowable to the subscriber identity (IMSI) sent.

4. A system as claimed in claim 3, characterized in that

- the system further comprises subscriber-specific information (69) indicating if the use of a subscriber identity (IMSI) is restricted only to the allowable equipment identities (IMEI-a, IMEI-b); and

- the system comprises means (74) for permitting the use of the terminal (MS) irrespective of the equipment identity (IMEI) in response to the subscriber-specific information (69) indicating that the use of the subscriber identity (IMSI) is not restricted only to the allowable equipment identities (IMEI-a, IMEI-b).